Web server

From SpinetiX Support Wiki


This page is about external web servers usage. See also the player's embedded web server page.

Introduction

The term web server can refer to hardware or software, or to both of them working together.

  • On the hardware side, a web server is a computer that stores web server software and files (like HTML documents, images, videos, CSS and JavaScript files, etc.). It is connected to the Internet / local network and supports physical data interchange with other devices connected to the web / LAN.
  • On the software side, a web server includes several parts that control how web clients access hosted files, at minimum an HTTP server. An HTTP server is a piece of software that understands URLs (web addresses) and HTTP (the protocol your browser uses to view webpages). It can be accessed through the domain names (like mozilla.org) of websites it stores, and delivers their content to the end-user's device.

At the most basic level, whenever a client (e.g., browser) needs a file which is hosted on a web server, the client requests the file via HTTP. When the request reaches the correct web server (hardware), the HTTP server (software) accepts the request, finds the requested file (if it doesn't then a 404 response is returned), and sends it back to the client, also through HTTP.

The most common web servers are Apache and Microsoft IIS, but other products can also be used as long as they are HTTP compliant.

SpinetiX players feature an embedded web server (based on Apache) offering access to different player applications such as: player web interface, player content server, player APIs.

Transfer protocols

SpinetiX players can retrieve content from web servers via HTTP, HTTPS, and WebDAV application protocols.

HTTPS

All player models are able to access remote resources via HTTPS.

  • The list of trusted root certificates matches that of Firefox. Certificate validation can be controlled from Control Center ⇾ Network ⇾ Trusted Certificates page.
  • SSL with Virtual Hosts using Server Name Indication (SNI) is supported starting with firmware 3.1.0.
  • The OpenSSL version used by the player is not affected by the Heartbleed bug.

Authentication

Credentials configuration

The credentials to use when accessing resources from remote servers requiring authentication are configured from:

Supported authentication methods

The players support the following methods for connecting to servers requiring authentication:

  • Basic access authentication
    HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes. The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred over or used in conjunction with Basic Authentication.
  • Digest access authentication
    Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of encryption, making it non-secure unless used in conjunction with SSL. Technically, digest authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. It uses the HTTP protocol.
  • NTLM (added in firmware 3.2.0)
    NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired. NTLM is supported only over secured HTTP connections. Note that NTLM is an insecure protocol when not over SSL.
  • Form-based authentication (added in firmware 4.5.0)
    Form-based authentication for web pages is supported through the Web Robot engine.
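
To make the contrast between Basic and Digest above concrete, here is an added Python example (not code from the SpinetiX wiki or firmware) that builds and decodes a Basic Authorization header and computes a Digest response value as RFC 2617 specifies; the usernames, password and nonce used in the comments are the RFC's own illustrative values, not anything from this page.

```python
import base64
import hashlib


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_auth_decode(header_value):
    """Recover the credentials from a Basic header.

    Base64 is an encoding, not encryption: anyone who can read the header can
    read the password, which is why the page says to pair Basic with HTTPS.
    Example (RFC 2617): 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==' -> ('Aladdin', 'open sesame').
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


def _md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Compute the Digest 'response' field for qop=auth (RFC 2617, section 3.2.2).

    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:uri)
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)

    Only the hash travels over the network, and the server-chosen nonce (plus
    the client nonce and request counter) is what ties a response to one
    challenge, which is the replay protection the page refers to.
    RFC 2617's worked example (user Mufasa, realm testrealm@host.com, password
    'Circle Of Life', GET /dir/index.html) yields 6629fae49393a05397450978507c4ef1.
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
```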

Non-supported authentication methods

Other authentication methods like Kerberos, Integrated Windows Authentication, or SPNEGO are not supported.

  • Many Microsoft-based web services including SharePoint and Exchange are set to use Integrated Windows Authentication by default; this setting must be changed site-wide.
  • See these security considerations for reasons why using form-based authentication with the HMP is not a good idea.

Troubleshooting

SSL errors

  • Server certificate verification failed: certificate has expired
    This happens when the server certificate is no longer valid - to solve this, a new server certificate must be issued.
  • Server certificate verification failed: certificate issued for a different hostname
    This happens when the server name doesn't match the one mentioned within the SSL certificate, for instance when using the server's IP address instead of its hostname - to solve this, use the server name as mentioned within the SSL certificate.
  • Server certificate verification failed: issuer is not trusted
    This happens when the server root certificate is not within the player's built-in database of root certificates of public certification authorities, for instance when the certificate was issued by a private, or enterprise-internal, certification authority. To solve this, you can add that root certificate on the player from HMP Control Center > Network > Trusted Certificates.
  • SSL handshake failed: SSL error code -1/1/336032856
    This can happen when the hostname reported by the server does not match the hostname given in the SSL certificate. Make sure your server configuration uses correct values for "ServerName" and "NameVirtualHost".
  • SSL handshake failed: SSL error: unknown message digest algorithm
    The sha256WithRSAEncryption signature algorithm was not supported before the 3.1.0 firmware release. The solution is to update the firmware on the HMP, or to use the sha1WithRSAEncryption algorithm when generating the certificate.

Technical notes

For reasons of stability, when retrieving content from a web server, the HMP first issues a partial GET, using the HTTP Range header to request only the first 512kb of the file. Some older or wrongly configured servers do not understand this request and return a 500 "Internal Server Error" response. The HMP then retries the request for the entire file. For this reason, when using a server that behaves like this, the resources.log may contain 500 errors even though the content is displayed successfully. To get rid of the errors, the issue should be addressed on the server side.

Microsoft IIS does not serve SVG files by default. If the resources.log file is filled with 404 errors but you are certain that the file exists on the web server, you may need to configure IIS by adding the SVG MIME type. For more information, see this Microsoft Technet article.
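
The partial GET and retry behaviour described in the first note above, as an added Python example that is not SpinetiX code: a loopback HTTP server that either honours Range requests with a 206 or, like the older servers mentioned, answers them with a 500, and a client that asks for the first 512 KB and falls back to a full GET only on a 500. The handler classes, the file contents and the loopback port are all constructed for the example.

```python
import http.server
import threading
import urllib.error
import urllib.request

SAMPLE_FILE = bytes(range(256)) * 4096   # constructed 1 MiB stand-in for a hosted media file
PARTIAL_BYTES = 512 * 1024               # first 512 KB, the partial GET size described on the page

class RangeAwareHandler(http.server.BaseHTTPRequestHandler):
    """Well-behaved server: honours the Range header with a 206 Partial Content."""
    def do_GET(self):
        rng = self.headers.get("Range")
        if rng and rng.startswith("bytes=0-"):
            end = int(rng.split("-")[1])
            body = SAMPLE_FILE[:end + 1]
            self.send_response(206)
            self.send_header("Content-Range", f"bytes 0-{end}/{len(SAMPLE_FILE)}")
        else:
            body = SAMPLE_FILE
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class LegacyHandler(RangeAwareHandler):
    """Older or misconfigured server: any Range request fails with a 500."""
    def do_GET(self):
        if "Range" not in self.headers:
            return super().do_GET()
        self.send_response(500)
        self.end_headers()

def fetch_with_range_fallback(url):
    """Partial GET of the first 512 KB; on a 500 retry for the whole file. Returns (status, data, fell_back)."""
    req = urllib.request.Request(url, headers={"Range": f"bytes=0-{PARTIAL_BYTES - 1}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read(), False
    except urllib.error.HTTPError as err:
        if err.code != 500: raise          # only the 500 case from the page triggers the retry
    with urllib.request.urlopen(url) as resp:
        return resp.status, resp.read(), True

def serve_and_fetch(handler_cls):
    """Serve handler_cls on a loopback port, fetch /file.bin through it, then shut it down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    result = fetch_with_range_fallback(f"http://127.0.0.1:{srv.server_address[1]}/file.bin")
    srv.shutdown()
    return result
```

Against the legacy handler the client sees exactly the pattern the note describes: a 500 logged for the Range request, followed by a successful 200 for the full file.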

See also

This page was last modified on 15 November 2023, at 17:53.